Input validation is required to avoid 500 errors

[Robin-Van-de-Merghel]

In every endpoint where we handle numbers, we must verify that the input is less than a certain (fixed) maximum.

Sometimes, the db raises 500 errors for multiple reasons:

• In the job query for example pymysql.err.ProgrammingError, setting $\text{page number }>100$
• In a PR I'm doing for Pilots where I insert an int in the db, I have a pymysql.err.DataError) (1264, "Out of range value for column ...")

I did not check every endpoint, but we should have for every type that we input in an endpoint and that will be used in the DB, something to check if it's valid or not.

This should be the same for strings, because we set in the schema a maximum length.

[aldbr]

From ddev: There is a mechanism in FastAPI for numeric values

• Review the current code for numeric values
• Based on the list, we can decide which values should be protected (then we can open new issues with better scope)

[Stellatsuu]

Numeric values found in endpoints:

• Auth: /legacy-exchange
  

  diracx/diracx-routers/src/diracx/routers/auth/token.py

  Line 185 in e5f7012

  expires_minutes: int | None = None,

• Job Query: /search
  

  diracx/diracx-routers/src/diracx/routers/jobs/query.py

  Lines 135 to 136 in e5f7012

  	page: int = 1,
  	per_page: int = 100,

  
  Also, this exists but isn't used:
  

  diracx/diracx-routers/src/diracx/routers/jobs/query.py

  Line 29 in e5f7012

  MAX_PER_PAGE = 10000

• Jobs Sandboxes:
  /{job_id}/sandbox
  

  diracx/diracx-routers/src/diracx/routers/jobs/sandboxes.py

  Line 108 in e5f7012

  job_id: int,

  
  /{job_id}/sandbox/{sandbox_type}
  

  diracx/diracx-routers/src/diracx/routers/jobs/sandboxes.py

  Line 120 in e5f7012

  job_id: int,

  
  /{job_id}/sandbox/output
  

  diracx/diracx-routers/src/diracx/routers/jobs/sandboxes.py

  Line 133 in e5f7012

  job_id: int,

  
  /{job_id}/sandbox
  

  diracx/diracx-routers/src/diracx/routers/jobs/sandboxes.py

  Line 156 in e5f7012

  job_id: int,

  
  /sandbox/unassign
  

  diracx/diracx-routers/src/diracx/routers/jobs/sandboxes.py

  Line 187 in e5f7012

  job_ids: Annotated[list[int], Body(embed=True)],

• Jobs Status:
  /status
  

  diracx/diracx-routers/src/diracx/routers/jobs/status.py

  Line 73 in e5f7012

  dict[int, dict[datetime, JobStatusUpdate]],

  
  /heartbeat
  

  diracx/diracx-routers/src/diracx/routers/jobs/status.py

  Line 162 in e5f7012

  data: Annotated[dict[int, HeartbeatData], Body(openapi_examples=EXAMPLE_HEARTBEAT)],

  
  /reschedule
  

  diracx/diracx-routers/src/diracx/routers/jobs/status.py

  Line 206 in e5f7012

  job_ids: Annotated[list[int], Body(embed=True)],

  
  /metadata
  

  diracx/diracx-routers/src/diracx/routers/jobs/status.py

  Line 267 in e5f7012

  updates: Annotated[dict[int, JobMetaData], Body(openapi_examples=EXAMPLE_METADATA)],

FastAPI documentation about Numeric values validation: https://fastapi.tiangolo.com/tutorial/path-params-numeric-validations/?h=numeric+validation#recap
Also, about String values validation: https://fastapi.tiangolo.com/tutorial/query-params-str-validations/

[aldbr]

Are you taking care of that issue for the sprint @Stellatsuu?

[Stellatsuu]

I can take care of it I think yes, I'm just not sure about your comment @aldbr

Based on the list, we can decide which values should be protected (then we can open new issues with better scope)

Should I wait for another issue or for more information?

[aldbr]

Thanks for the review @Stellatsuu! It looks complete to me 🙂
There are not so many values, you can go ahead with the PR. If you have any doubt about what to do with a given value, don't hesitate to ask us.
For instance MAX_PER_PAGE is also define in logic. You can potentially reuse it in routers.
Don't forget to add some unit tests that currently do not pass and that would pass with your changes.

Thanks!